•Secure—VPN tunnel only applies to voice and Cisco Unified IP Phone services. A PC connected to the PC port is responsible for authenticating and establishing its own tunnel with VPN client software.

Supported Devices

You can use Cisco Unified Reporting to determine which Cisco Unified IP Phones support the VPN client. From Cisco Unified Reporting, click Unified CM Phone Feature List. For the Feature, choose Virtual Private Network Client from the pull-down menu. The system displays a list of products that support the feature.

For more information about using Cisco Unified Reporting, see the Cisco Unified Reporting Administration Guide.

Configuring the VPN Feature

To configure the VPN feature for supported Cisco Unified IP Phones, follow the steps in the following table.

Table 4-1 VPN Configuration Checklist

Configuration Steps

Notes and Related Procedures

Step 1 Set up the VPN concentrators for each VPN Gateway.

For configuration information, refer to the documentation for the VPN concentrator, such as the following:

Note The ASA software must be version 8.0.4 or later, and the "AnyConnect Cisco VPN Phone" license must be installed.

Note To avoid long delays when the user upgrades the firmware or configuration information on a remote phone, Cisco recommends that you set up the VPN concentrator close in the network to the TFTP or Cisco Unified Communications Manager server. If this is not feasible in your network, you can set up an alternate TFTP or load server that is next to the VPN concentrator.

Step 4 Configure the VPN feature. You can use the Sample IOS configuration summary below to guide you with the configuration.

Note To use the phone with both certificate and password authentication, create a user with the phone MAC address. Username matching is case sensitive. For example: username CP-7975G-SEP001AE2BC16CB password k1kLGQIoxyCO4ti9 encrypted
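The following Python script is an added example, not part of this guide and not a Cisco tool. It audits an IOS running-config for the points the note above and the sample configuration below bear on: the CP-<model>-SEP<MAC> username format and its case-sensitive match, clear-text "password 0" entries while "service password-encryption" is off, and trustpoints with revocation checking disabled or short RSA keys. The configuration excerpt embedded in the script is constructed and modelled on the sample that follows (the "secret 5" line and its hash are placeholders); the 2048-bit RSA threshold is a general practice assumed here, not a requirement stated in this guide.

```python
"""Audit a Cisco IOS running-config for VPN-phone settings.

Added example: not Cisco's own tooling. The config excerpt and the
2048-bit RSA threshold are assumptions made for illustration.
"""
import re

# Constructed excerpt modelled on the chapter's sample configuration; only
# the lines the checks below look at are included. The last username line
# and its hash are placeholders, not values from the guide.
SAMPLE_CONFIG = """\
no service password-encryption
hostname vpnios
aaa new-model
aaa authentication login webvpn local
crypto pki trustpoint iosrcdnvpn-cert
 enrollment selfsigned
 subject-name cn=iosrcdnvpn-cert
 revocation-check none
 rsakeypair iosrcdnvpn-key 1024
crypto pki trustpoint CiscoRootCA
 enrollment terminal
 revocation-check crl
username admin privilege 15 password 0 vpnios
username CP-7962G-SEP001B0CDB38FE privilege 15 password 0 adgjm
username CP-7975G-SEP001ae2bc16cb privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
"""

# Username form the guide prescribes: CP-<phone model>-SEP<12 hex digits>
PHONE_USER = re.compile(r"^CP-(?P<model>[A-Za-z0-9]+)-SEP(?P<mac>[0-9A-Fa-f]{12})$")


def phone_username(model: str, mac: str) -> str:
    """Build the CP-<model>-SEP<MAC> username for a phone. Username matching is
    case sensitive, so the MAC is normalised to upper-case hex with any
    separators (colons, hyphens, dots) removed."""
    hexmac = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexmac) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"CP-{model.upper()}-SEP{hexmac}"


def parse_config(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split an IOS config into its top-level commands and the indented
    sub-mode lines that follow each one (IOS indents sub-mode lines by a
    leading space). Comment lines starting with '!' are skipped."""
    top: list[str] = []
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    top, blocks = parse_config(config)
    findings: list[str] = []

    if "no service password-encryption" in top:
        findings.append("service password-encryption is disabled: 'password 0' "
                        "entries are stored in clear text")

    for line in top:
        m = re.match(r"username (\S+) (?:privilege \d+ )?(password|secret) (\d+) ", line)
        if not m:
            continue
        user, kind, enc = m.group(1), m.group(2), m.group(3)
        if kind == "password" and enc == "0":
            findings.append(f"{user}: clear-text 'password 0'; prefer 'secret'")
        if user.startswith("CP-"):
            pm = PHONE_USER.match(user)
            if pm is None:
                findings.append(f"{user}: does not match CP-<model>-SEP<MAC>")
            elif pm.group("mac") != pm.group("mac").upper():
                findings.append(f"{user}: MAC is not upper case; username match is case sensitive")

    for cmd, body in blocks.items():
        if not cmd.startswith("crypto pki trustpoint "):
            continue
        tp = cmd.split()[-1]
        if "revocation-check none" in body:
            findings.append(f"trustpoint {tp}: revocation checking disabled")
        for sub in body:
            km = re.match(r"rsakeypair \S+ (\d+)", sub)
            if km and int(km.group(1)) < 2048:  # assumed minimum, not from the guide
                findings.append(f"trustpoint {tp}: RSA modulus {km.group(1)} bits is below 2048")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved "show running-config", the script reports each clear-text credential, each trustpoint that skips revocation checks, and any phone username whose MAC digits would fail the case-sensitive match; phone_username() produces the exact string to configure for a given model and MAC.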

Sample IOS configuration summary

You can use the following sample IOS configuration for the VPN client on an IP phone as a general guideline for creating your own configuration. The configuration entries can change over time.

Current configuration: 4648 bytes
!
! Last configuration change at 13:48:28 CDT Fri Mar 19 2010 by test
!
version 15.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
! hostname of the IOS
hostname vpnios
!
boot-start-marker
! Specifying the image to be used by IOS - boot image
boot system flash c2800nm-advsecurityk9-mz.152-1.4.T
boot-end-marker
!
!
logging buffered 21474836
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login webvpn local
aaa authorization exec default local
!
aaa session-id common
!
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki token default removal timeout 0
!
! Define trustpoints
crypto pki trustpoint iosrcdnvpn-cert
 enrollment selfsigned
 serial-number
 subject-name cn=iosrcdnvpn-cert
 revocation-check none
 rsakeypair iosrcdnvpn-key 1024
!
crypto pki trustpoint CiscoMfgCert
 enrollment terminal
 revocation-check none
 authorization username subjectname commonname
!
crypto pki trustpoint CiscoRootCA
 enrollment terminal
 revocation-check crl
 authorization username subjectname commonname
!
!
! Certificates
crypto pki certificate chain iosrcdnvpn-cert
 certificate self-signed 04
crypto pki certificate chain CiscoMfgCert
 certificate ca 6A6967B3000000000003
crypto pki certificate chain CiscoRootCA
 certificate ca 5FF87B282B54DC8D42A315B568C9ADFF
crypto pki certificate chain test
 certificate ca 00
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name nw048b.cisco.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
license udi pid CISCO2821 sn FTX1344AH76
archive
 log config
  hidekeys
username admin privilege 15 password 0 vpnios
username test privilege 15 password 0 adgjm
username usr+ privilege 15 password 0 adgjm
username usr# privilege 15 password 0 adgjm
username test2 privilege 15 password 0 adg+jm
username CP-7962G-SEP001B0CDB38FE privilege 15 password 0 adgjm
!
redundancy
!
!
!--- Configure interface. Generally one interface to internal network and one outside